Splunk Search

Query giving multiple results in the same field, how to parse?

MacAllen
Engager

Doing a query on AD events for adding users to groups.  There are 3 events, one for each type of group.  2 of them are very straight forward, account_name is the account, group_name is the group, easy peasy.  However, event 4756 shoves everything into the account_name field, so I get something like this:

Account_Name

my_username
CN=user_I_Added
Enterprise Admins
 
All of this is in 1 line.  Looking inside the event, I get this:
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid
 
Member:
Security ID: hersid
Account Name: CN=her_username
 
Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
 
I'd like to select on group_name, but for some reason Enterprise Admins is shoved into one of 3 Account_names in the same event.  Suggestions on parsing this?  "Moving" the name to group_name?
1 Solution

yuanliu
SplunkTrust

Given the fixed data syntax and segment order, @livehybrid's approach should work.  I'd like to offer a different, more semantic approach that depends less on exact order and strings.

| rex mode=sed "s/(.*\n)*Message=.*\n//"
| eval data = split(_raw, "

")
| mvexpand data
| rex field=data max_match=0 mode=sed "s/(.+): *(.+)\n/\"\1\":\"\2\",\n/g
  s/,\n([^\"]+): *(.+)/,\"\1\":\"\2\"}\n}/g
  s/(.+): */{\n\"\1\":{/"
| spath input=data
| stats values(*) as * by RecordNumber
| fields - data

The idea is to convert structured Message into JSON so it handles all embedded data. (The above is one of several possible ways of doing this.)

Using the same emulation @livehybrid provides, this is the output:

(a single result row, shown here as one field per line)

Field                   Value
RecordNumber            1098888999
ComputerName            DC.ACME.COM
EventCode               4756
Group.Account Domain    my_domain
Group.Account Name      Enterprise Admins
Group.Security ID       groupside
Member.Account Name     CN=her_username
Member.Security ID      hersid
Subject.Account Domain  my domain
Subject.Account Name    my_username
Subject.Logon ID        0xmyid
Subject.Security ID     mysid

If spaces in field names such as "Group.Account Name" are a hindrance, they can be replaced with a printable character before or after.

Hope this helps.


livehybrid
SplunkTrust

Hi @MacAllen 

How about this?

| rex field=_raw max_match=10 "Account Name: (?<account_name>[^\n]+)"
| eval subject_name = mvindex(account_name,0)
| eval member_name   = mvindex(account_name,1)
| eval group_name    = mvindex(account_name,2)
| table subject_name member_name group_name


If your Account_Name is already a multivalue field, then you won't need the rex command; just pluck the relevant items from the mv field using mvindex. Full example below:

| windbag | head 1 | eval _raw="08/14/2025 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid
 
Member:
Security ID: hersid
Account Name: CN=her_username
 
Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
Additional Information:
Privileges: -"
| rex field=_raw max_match=10 "Account Name: (?<account_name>[^\n]+)"
| eval subject_name = mvindex(account_name,0)
| eval member_name   = mvindex(account_name,1)
| eval group_name    = mvindex(account_name,2)
| table subject_name member_name group_name


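Both answers above parse the same 4756 Message text: the rex/mvindex answer takes the "Account Name:" values by position, the accepted answer turns each section (Subject, Member, Group) into a keyed structure so the group name is selected by its section rather than by its index. The Python below is an added example written for this page, not code from either answer or from Splunk, that does both on the emulated event from the thread so the two can be compared outside Splunk. The function names parse_event, group_fields and account_names_positional, and the "Timestamp" key for the leading date line, are this example's own choices; the sample event is constructed from the placeholders posted in the thread.

```python
"""Parse the Message block of a Windows Security event (4756, 'A member was
added to a security-enabled universal group') into named sections, so the
group's name is read from the Group section instead of by position."""
import re

# Constructed sample, modelled on the emulated 4756 event posted in the
# thread; the values (mysid, hersid, ...) are the thread's placeholders.
SAMPLE_EVENT = """08/14/2025 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid

Member:
Security ID: hersid
Account Name: CN=her_username

Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
Additional Information:
Privileges: -"""

# Key=Value header line (LogName=..., EventCode=..., Message=...).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*)=(?P<val>.*)$")
# A section header is a bare label ending in ':' with nothing after it.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*):\s*$")
# A 'Key: Value' line inside a section; the value may contain '=' (a DN).
# Caveat: 'Key:' with an empty value is indistinguishable from a section
# header here; Windows writes '-' for empty values (see 'Privileges: -').
PAIR_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<val>.+)$")


def parse_event(raw: str) -> dict:
    """Return {"header": {...}, "sections": {"Subject": {...}, ...}}.

    The section name is the label Windows puts on its own line, so the
    group's name is sections["Group"]["Account Name"] no matter where it
    falls in the run of "Account Name:" lines."""
    lines = raw.splitlines()
    header, sections = {}, {}
    i = 0
    if lines and "=" not in lines[0]:
        header["Timestamp"] = lines[0].strip()  # leading date line
        i = 1
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            break
        header[m["key"]] = m["val"].strip()
        i += 1
        if m["key"] == "Message":
            break  # everything after Message= is the sectioned text
    current = None
    for line in lines[i:]:
        line = line.strip()
        if not line:
            continue  # blank lines only separate sections
        s = SECTION_RE.match(line)
        if s:
            current = s["name"]
            sections.setdefault(current, {})
            continue
        p = PAIR_RE.match(line)
        if p and current is not None:
            sections[current][p["key"].strip()] = p["val"].strip()
    return {"header": header, "sections": sections}


def group_fields(raw: str) -> dict:
    """The three names the question asks for, selected by section."""
    sec = parse_event(raw)["sections"]
    return {
        "subject_name": sec.get("Subject", {}).get("Account Name"),
        "member_name": sec.get("Member", {}).get("Account Name"),
        "group_name": sec.get("Group", {}).get("Account Name"),
    }


def account_names_positional(raw: str) -> list:
    """Positional alternative, equivalent to the rex/mvindex answer: every
    'Account Name:' value in document order.  Index 2 is the group only
    while the sections appear in the fixed Subject, Member, Group order."""
    return re.findall(r"Account Name: ([^\n]+)", raw)


if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT)["sections"])
    print(group_fields(SAMPLE_EVENT))
    print(account_names_positional(SAMPLE_EVENT))
```

On the sample event the two approaches agree (index 2 of the positional list is "Enterprise Admins"); the section-keyed form is the one to prefer when building a detection on group_name, since it keeps working if a section is absent or reordered, and the flattened header fields (EventCode, RecordNumber, ComputerName) come out alongside it.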